TRAFFIC MONITORING TOOL FOR BANDWIDTH MANAGEMENT

RELATED APPLICATIONS

This present application claims priority to U.S. Serial No. ,
(Attorney Docket No. 018430-000300) filed December 5, 1997, and U.S. Serial No.
60/047,752 filed May 27, 1997, which are both hereby incorporated by reference for all
purposes.

BACKGROUND OF THE INVENTION

The present invention relates to communication or telecommunication.
More particularly, the present invention provides a technique, including a method and
system, for monitoring and allocating bandwidth on a telecommunication network at,
for example, a firewall access point. As merely an example, the present invention is
implemented on a wide area network of computers or workstations such as the Internet.
But it would be recognized that the present invention has a much broader range of
applicability, including local area networks, a combination of wide and local area
networks, and the like.

Telecommunication techniques have been around for numerous years. In
the early days, people such as the American Indians communicated to each other over
long distances using "smoke signals." Smoke signals were generally used to transfer
visual information from one geographical location to be observed at another
geographical location. Since smoke signals could only be seen over a limited range of
geographical distances, they were soon replaced by a communication technique known
as telegraph. Telegraph generally transferred information from one geographical
location to another geographical location using electrical signals in the form of "dots"
and "dashes" over transmission lines. An example of commonly used electrical signals is
Morse code. Telegraph has been, for the most part, replaced by telephone. The
telephone was invented by Alexander Graham Bell in the 1800s to transmit and send
voice information using electrical analog signals over a telephone line, or more
commonly a single twisted pair copper line. Most industrialized countries today rely
heavily upon telephone to facilitate communication between businesses and people, in
general.

In the 1990s, another significant development in the telecommunication
industry occurred. People began communicating to each other by way of computers,
which are coupled to the telephone lines or telephone network. These computers or
workstations coupled to each other can transmit many types of information from one
geographical location to another geographical location. This information can be in the
form of voice, video, and data, which have been commonly termed as "multimedia."
Information transmitted over the Internet, or Internet "traffic," has increased
dramatically in recent years. In fact, the increased traffic has caused congestion, which
leads to problems in responsiveness and throughput. This congestion is similar to the
congestion of automobiles on a freeway, such as those in Silicon Valley from the recent
"boom" in high technology companies, including companies specializing in
telecommunication. As a result, individual users, businesses, and others have been
spending more time waiting for information, and less time on productive activities. For
example, a typical user of the Internet may spend a great deal of time attempting to
view selected sites, which are commonly referred to as "Websites," on the Internet.
Additionally, information being sent from one site to another through electronic mail,
which is termed "e-mail," may not reach its destination in a timely or adequate manner.
In effect, the quality of service, or Quality of Service ("QoS"), of the Internet has decreased
to the point where some messages are being read at some time significantly beyond the
time the messages were sent.

Quality of Service is often measured by responsiveness, including the
amount of time spent waiting for images, texts, and other data to be transferred, and by
throughput of data across the Internet, and the like. Other aspects may be application
specific, for example, jitter, quality of playback, quality of data transferred across the
Internet, and the like. Three main sources of data latency include: the lack of
bandwidth at the user (or receiving) end, the general congestion of the Internet, and the
lack of bandwidth at the source (or sending) end.

A solution to decreasing data latency includes increasing the bandwidth of
the user. This is typically accomplished by upgrading the network link, for example by
upgrading a modem or network connection. For example, the network link may be
upgraded to X2 modems, 56K modems, ADSL or DMT modems, ISDN service and
modems, cable TV service and modems, and the like. Drawbacks to these solutions
include that they typically require additional network service, they also require
additional hardware and/or software, and further they require both the sender and
receiver to agree on using the same hardware and/or software. Although one
user may have a much faster line or faster modem, another user may still rely on the
same 1200 baud modem. So the speed at which information moves from one location
to another location is often determined by the slowest link over which the information
is transferred across the network. Accordingly, users of faster technology are basically
going nowhere, or "running" nowhere fast, as is commonly stated in the network
industry.

From the above, it is seen that a technique for improving the use of a
wide area network is highly desirable.

SUMMARY OF THE INVENTION

The present invention relates to a technique, including a method and
system, for providing more quality to telecommunication services. More particularly,
the present invention relates to quality of service management using a novel traffic
monitoring technique. The present monitoring technique is predominantly software
based, but is not limited to such software in some embodiments.

In a specific embodiment, the present invention provides a system with a
novel graphical user interface for monitoring a flow of information coupled to a
network of computers. The user interface is provided on a display. The display has at
least a first portion and a second portion, where the first portion displays a graphical
chart representing the flow of information. The second portion displays text
information describing aspects of the flow of information. The combination of the first
portion and the second portion describe the information being profiled.

In an alternative specific embodiment, the present invention provides a
novel computer network system having a real-time bandwidth profiling tool. The real-
time bandwidth profiling tool has a graphical user interface on a monitor. The
graphical user interface includes at least a first portion and a second portion. The first
portion displays a graphical chart representing the flow of information. The second
portion displays text information describing the flow of information. The combination
of the first portion and the second portion describe the information being profiled.

In still an alternative embodiment, the present invention provides a novel
bandwidth profiling tool. The present bandwidth profiling tool includes a variety of computer
codes to form computer software or a computer program, which is stored in computer memory.
The program includes a first code that is directed to measuring a data rate for a flow of
information from an incoming source, which is coupled to a network of computers. The
program also has a second code that is directed to categorizing the data rate from the flow of
information based upon at least one of a plurality of traffic classes and a third code that is
directed to outputting a visual representation of the data rate in graphical form on a display. A
fourth code is used to direct the outputting of a text representation of the one of the plurality of
traffic classes on the display. The present invention has a variety of other codes to
perform the methods described herein, and outside the present specification.

Numerous advantages are achieved by way of the present invention over pre-
existing or conventional techniques. In a specific embodiment, the present invention provides a
single point or a single region to manage telecommunication traffic including directory services
and bandwidth management. Additionally, in some, if not all embodiments, the present
invention can be implemented at a single point of access such as a computer terminal or
firewall, for example. Furthermore, the present invention can be predominately software based
and can be implemented into a pre-existing system by way of a relatively simple installation
process. Moreover, the present invention provides more valued applications and users with a
more reliable and faster service. Less critical applications and users are provided with a
service level that is appropriate for them in some embodiments. In most embodiments,
available bandwidth in a system is fairly shared between equally prioritized users (e.g., no
user can monopolize or "hog" the system). Still further, link efficiency improves due to
overall congestion avoidance in most cases. Moreover, the present invention implements its
traffic management technique using a simple and easy to use "rule" based technique. These and
other advantages are described throughout the present specification, and more particularly
below.

Further understanding of the nature and advantages of the invention may be
realized by reference to the remaining portions of the specification, drawings, and attached
documents.

BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1 is a simplified diagram of a system according to an embodiment of
the present invention;

Fig. 2 is a simplified block diagram of system architecture according to an
embodiment of the present invention;

Fig. 3 is a simplified diagram of a traffic management cycle according to an
embodiment of the present invention;

Figs. 4-7 are simplified diagrams of systems according to various embodiments
of the present invention;

Fig. 8 is a simplified flow diagram of a rule-based control method according to
the present invention; and

Figs. 9-15 are simplified representations of graphical user interfaces for
monitoring traffic according to the present invention.

DESCRIPTION OF SPECIFIC EMBODIMENTS

An embodiment of the present invention provides integrated network service
policies for firewall platforms, as well as other platforms or gateways. Specifically, the
present invention provides network or firewall administrators with the ability to
implement policy-based schema for security and resource management on firewall
platforms. In a specific embodiment, resource management includes Network Quality
of Service (QoS) or "bandwidth" management techniques. In an exemplary
embodiment, the present invention provides tools for monitoring traffic for bandwidth
management, as well as other functions.

Network QoS occurs by managing the resources that serve network
application traffic, for example. This typically includes the following resources: link
bandwidth, application server bandwidth (CPU), and buffer space on generally all nodes
(end-points, routers and gateways). Typically, data through-put is limited by the speed
of Internet access links and by the server CPU capacity, and response time is
determined by the number of hops in a route, physical length of the route, and extent
of congestion in the route. There are various other factors that may affect QoS, such as
the behavior of TCP/IP, severe congestion anywhere in the route, prioritization of
traffic along the route, etc. To a network administrator, embodiments of the present
invention provide discrimination of different traffic types and provide methods for
enforcement of traffic flow by management of the above resources.

DEFINITIONS

In the present invention, it may assist the reader to understand some of
the terms described herein. These terms have been briefly described below. These
terms are merely examples and should not unduly limit the scope of the claims herein.

1. Traffic Management: A set of techniques or mechanisms including
policies that can be applied in a network to manage limited network resources such as
bandwidth and the like. These techniques are intended to improve overall network
performance and efficiency. They are also intended to provide for more predictability
and orderliness in the event of network congestion. The techniques should also isolate faults
and provide visibility into performance problems. Additionally, they should meet the diverse
user and application requirements as per an organization's business goals. Furthermore,
traffic management is intended to increase the "goodput" traffic, based on the economic value,
and prevent the abuse of network resources.

2. Quality Of Service (QoS): The concept of Quality of Service (QoS)
has been analyzed and discussed for a number of years in the networking industry, and was
previously associated mostly with ATM technology. In a more generic sense, QoS describes
the performance specifications that an application requires from the underlying infrastructure.
Otherwise, the application will not run satisfactorily. Some applications are designed to run
in a best-effort mode and can adapt to available bandwidth. Others are extremely sensitive to
delays. Still others can produce large bursts in traffic, which affects other applications while
providing little perceptible improvement to the end-user. QoS specifications are closely
associated with the expectations and perceptions of end-users and the organization they are
part of.

3. Bandwidth: Bandwidth usually refers to the maximum available bit rate
for a specific application. In a specific embodiment, synchronous, interactive, and real-time
applications, which are bandwidth-sensitive, can require minimum bandwidth guarantees, and
can require sustained and burst-scale bit-rates. On the other hand, network administrators
may want to limit bandwidth taken by non-productive traffic such as push technologies like
PointCast and others. Even though bandwidth may be allocated for specified applications, it
does not mean that these applications will be using that bandwidth. Therefore, a good policy
should be to enforce only when there is competition and demand.

4. Latency: Latency generally refers to the delay experienced by a packet
from the source to the destination. Latency requirements are typically specified as mean delay
and, in some cases, worst case delay. Real-time audio/video applications, and interactive
applications such as, for example, DNS, HTTP, and TELNET, are delay sensitive. Delay is a
result of propagation delay, due to the physical medium, and queuing at intermediate nodes
such as routers, gateways, or even servers. A certain portion of the delay can be controlled by
how the queues are serviced at the intermediate nodes, and by controlling congestion at
bottleneck points. Some examples of delay measures are packet round-trip delay and
connection response time.

5. Jitter: Jitter generally refers to variation in delay (e.g., that is, the
delay is not constant for all packets of a given flow) for a particular application. Real-time
applications require a worst case jitter. Applications such as real-audio and video do some
advanced buffering to overcome any variation in packet delays; the amount of buffering is
determined by the expected jitter.

6. Packet Loss: Packet loss is a loss in a packet or a portion of packets
that is generally caused by failure of network elements (e.g., routers, servers) to forward or
deliver packets. Packet loss is usually an indication of severe congestion, overload of an
element, or element failure (e.g., if a server is down). Even if the packet was not dropped
but just delayed, protocols and applications can assume it was lost. Packet loss can cause
application timeouts, loss of quality or retransmitted packets. Packet loss is usually specified
as a rate (e.g., a real-time video application cannot tolerate loss of more than one packet for
every 10 packets sent). Indirect results of packet loss may also be measured (e.g., connection
retries or data retransmits).

7. Guarantees: An extreme example of a guarantee is to partition
bandwidth so that it is not available to other entities. Guarantee also means a share of the
resource, e.g., minimum bandwidth or maximum latency.

8. Best-effort: Best-effort describes a service on a best-effort basis that
makes no guarantees.

9. Limits: A specific physical or theoretical limitation on a resource such as
bandwidth. Resource utilization or admission is limited under certain conditions.

10. Priority: Level of importance for a specific user, application, or data.
A priority scheme is created among different entities so that contention is resolved or service is
provided.

11. Traffic Profiling: Profiling is intended to be defined as cumulative
details of traffic flows for each active client, server, or application without application of any
rules. This includes bandwidth, response time, and failure related statistics. Profiling is
intended to provide long term cumulative snapshots of traffic for capacity planning or setting
traffic rules.

The above definitions are merely intended to assist the reader in understanding some of the
terms described herein. They are not intended, in any manner, to limit the scope of the
claims. One of ordinary skill in the art would recognize other variations, modifications, and
alternatives.
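The latency, jitter and packet-loss measures of definitions 4 through 6 can be computed from a per-packet trace. The following is an added example, not code from the patent: it takes a constructed trace of ten packets (sequence number, send time, receive time, or None when the packet never arrived), reports mean and worst-case delay, the variation in delay between consecutive packets, and the loss rate, and applies the rule from definition 6 that a packet delayed beyond what the application will wait for counts, for that application, as lost. The QosProfile values are assumptions chosen for the example.

```python
"""QoS measures for one flow, computed as the definitions above describe them.

Added example; not code from the patent. The trace below is constructed: ten packets
with the sender's sequence number, send time and receive time (None = never arrived).
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    seq: int                   # sender's sequence number
    sent_ms: float             # send timestamp, milliseconds
    recv_ms: Optional[float]   # receive timestamp, or None if the packet was dropped


@dataclass(frozen=True)
class QosProfile:
    """An application's requirements, stated as the definitions do (assumed values)."""
    max_mean_delay_ms: float
    max_worst_delay_ms: float
    max_jitter_ms: float
    max_loss_rate: float       # 0.1 = at most one packet lost in ten


def effective(packets: List[Packet], late_after_ms: Optional[float]) -> List[Packet]:
    """Definition 6: a packet delayed beyond what the application will wait for is,
    for that application, lost. late_after_ms=None keeps the network's view."""
    out = []
    for p in packets:
        late = (p.recv_ms is not None and late_after_ms is not None
                and p.recv_ms - p.sent_ms > late_after_ms)
        out.append(Packet(p.seq, p.sent_ms, None) if late else p)
    return out


def delays_ms(packets: List[Packet]) -> List[float]:
    """One-way delay of each received packet, in sequence-number order."""
    return [p.recv_ms - p.sent_ms for p in sorted(packets, key=lambda p: p.seq)
            if p.recv_ms is not None]


def measure(packets: List[Packet], late_after_ms: Optional[float] = None) -> Dict[str, float]:
    """Latency (mean and worst case), jitter and loss rate for the flow."""
    pk = effective(packets, late_after_ms)
    d = delays_ms(pk)
    # Jitter as definition 5 states it: variation in delay between consecutive packets.
    jitter = max((abs(b - a) for a, b in zip(d, d[1:])), default=0.0)
    lost = sum(1 for p in pk if p.recv_ms is None)
    return {
        "mean_delay_ms": mean(d) if d else 0.0,
        "worst_delay_ms": max(d) if d else 0.0,
        "jitter_ms": jitter,
        "loss_rate": lost / len(pk) if pk else 0.0,
    }


def violations(metrics: Dict[str, float], profile: QosProfile) -> List[str]:
    """Names of the measures that exceed the profile, in a fixed order."""
    limits = [
        ("mean_delay_ms", profile.max_mean_delay_ms),
        ("worst_delay_ms", profile.max_worst_delay_ms),
        ("jitter_ms", profile.max_jitter_ms),
        ("loss_rate", profile.max_loss_rate),
    ]
    return [name for name, limit in limits if metrics[name] > limit]


# Constructed trace: steady ~40 ms delay, one drop (seq 5) and one very late packet (seq 8).
SAMPLE_TRACE = [
    Packet(1, 0.0, 40.0), Packet(2, 20.0, 62.0), Packet(3, 40.0, 78.0),
    Packet(4, 60.0, 101.0), Packet(5, 80.0, None), Packet(6, 100.0, 142.0),
    Packet(7, 120.0, 160.0), Packet(8, 140.0, 540.0), Packet(9, 160.0, 201.0),
    Packet(10, 180.0, 222.0),
]

# Assumed profile for real-time video; the loss bound is the "one in ten" of definition 6.
REALTIME_VIDEO = QosProfile(max_mean_delay_ms=150.0, max_worst_delay_ms=250.0,
                            max_jitter_ms=30.0, max_loss_rate=0.1)

if __name__ == "__main__":
    network_view = measure(SAMPLE_TRACE)
    video_view = measure(SAMPLE_TRACE, late_after_ms=200.0)  # video gives up after 200 ms
    print("network view:", network_view, violations(network_view, REALTIME_VIDEO))
    print("video's view:", video_view, violations(video_view, REALTIME_VIDEO))
```

The same trace fails the profile in two different ways depending on the view: counted as the network sees it, the late packet blows the worst-case delay and jitter bounds; counted as the application sees it, that packet is simply a second loss and the flow fails the loss bound instead. A monitoring tool that reports only one of the two views will mis-describe the problem.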
SYSTEM OVERVIEW

Fig. 1 illustrates a simplified system 100 according to an embodiment of
the present invention. The system 100 is merely an illustration and should not limit the
scope of the claims herein. One of ordinary skill in the art would recognize other variations,
modifications, and alternatives. The present invention can be embodied as a Traffic Ware™
firewall server 110 from Ukiah Software, Inc., but can be others. System 100 typically
includes a file server 120, and a plurality of computers 130-150, coupled to a local area
network (LAN) 160, and other elements. Firewall server 110 includes a typical connection to
a wide area network (WAN) 170 and to a remote LAN 180 (such as an Intranet) and a typical
network connection 190 to the Internet 200. Attached to Internet 200 are Web servers 210
and other computers 220.

As illustrated, computers such as computer 130, 140, and 210 communicate
using any one or multiple application layer protocols such as Telnet, file transfer protocol
(FTP), hypertext transfer protocol (HTTP), and the like. Further, communication
across WAN 170 and across network connection 190 implements transport layer protocols
such as transmission control protocol (TCP), user datagram protocol (UDP), and the like.
LAN 160 and LAN 180 are preferably based upon network protocols such as Internet
protocol (IP), IPX from Novell, AppleTalk, and the like. As shown in Fig. 1, network
connection 190 may be accomplished using T1, ISDN, Dial-up, and other hardware
connections. Computers 120-150 and 210-220 may be any suitable make or model of
computer that can be coupled to a network. The system can also include a variety of other
elements such as bridges, routers, and the like.

In an alternative specific embodiment, the present invention may be applied to
a system with various links accessed in servicing a browser request at a remote web server.
In this embodiment, a client could be dialing in via a 28.8 kbit dial up modem to a local
Internet service provider (ISP), where the ISP may be connected to the Internet by a T1 link.
A web server may be on a 10 Mbps Ethernet LAN, which is connected to another ISP via a
56 K frame relay. The web server's ISP may be connected to its carrier via a T3 line. The
client ISP carrier and the server ISP carrier may both be connected by an ATM backbone or
the like. Because of this asymmetry in this embodiment, any traffic management solution
should take into account these variations including traffic speed and data format described
above. Moreover, simply upgrading the capacity of a link in the access path may not offer a
viable solution. This present embodiment may have the bandwidth requirements shown by
way of Table 1, for example.



Table 1: Bandwidth Requirements

Users                                             Bandwidth             Service Offered
--------------------------------------------------------------------------------------------------
Internet developers, individuals,                 28.8 to 56 Kbps       Dial-up service
international locations where bandwidth is
limited

Small to medium-sized organizations with          56 Kbps to 1.5 Mbps   Fractional T1, frame relay
moderate Internet usage

Medium sized organizations with many moderate     1.5 Mbps              Dedicated T1 circuit
users, smaller organizations requiring huge
amounts of bandwidth

Standard bandwidth for Ethernet-based LANs        10 Mbps               Ethernet, token ring (4 Mbps
                                                                        or 16 Mbps)

Bandwidth usage for large organizations or        45 Mbps               Dedicated T3 circuit
Internet backbones

Huge bandwidth LAN backbone usage for medium      100 to 1,000 Mbps     Fast Ethernet, gigabit
to large organizations (hundreds or thousands                           Ethernet
of users)


As shown above, there exist a large number of diverse applications and protocols that are
widely used and have their own performance requirements. For example, applications such
as mail (e.g., SMTP) and news (e.g., NNTP) are not interactive and are therefore not
sensitive to delay. On the other hand, applications such as real-time conferencing are
extremely sensitive to delay but not to packet loss. Applications such as TELNET and DNS
do not utilize significant bandwidth, but are sensitive to delay and loss. Conversely,
applications such as FTP consume a great deal of bandwidth but are not that sensitive to
delay. Generally, network applications can be categorized as:

1. Interactive (e.g., delay sensitive) versus non-interactive (e.g., delay
tolerant);

2. Bandwidth intensive (bulk data) versus non-bandwidth intensive; and

3. Bursty versus non-bursty.

These categories are merely illustrative and should not limit the scope of the claims herein.

Additionally, some application requirements are dependent on the context of use and the
nature of data being accessed. Such applications can be described as being nominally
interactive or nominally bandwidth intense. This means the description applies to many but
not all the situations in which they are used.

As merely an example, Table 2 provides some illustrations for these
categories.

Application Class                               Examples
--------------------------------------------------------------------------------
Low-bandwidth, delay sensitive, highly          DNS, PING, TELNET, CHAT,
interactive                                     COLLABORATION

High-bandwidth, delay sensitive                 Real-time audio and video

High-bandwidth, nominally interactive           Web service requests, file downloads

Non-interactive                                 Mail and news

Table 2: Application Spectrum

As shown in Table 2, low-bandwidth, delay sensitive, and highly interactive applications
include, among others, DNS, PING, TELNET, CHAT, and COLLABORATION. High
bandwidth and delay sensitive applications include at least real-time audio and video.
Additional applications for high bandwidth and nominally interactive, or non-interactive, have
also been shown. Again, these applications are merely provided for illustration and should
not limit the scope of the claims herein.
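The profiling tool of the summary (measure a data rate per flow, categorize it by traffic class, show a chart in one portion of the display and text in another) can be sketched against the classes of Table 2. The following is an added example and not the patent's or Ukiah's code: it consumes a constructed ten-second capture of packet records, accumulates bytes per flow, labels each flow with a Table 2 class by its well-known port (the port-to-class map and the RTP port 5004 are assumptions), and renders the chart portion as text bars scaled to an assumed 128 Kbps access link beside a per-flow text report.

```python
"""Traffic profiling as the text describes it: measure the data rate of each flow seen at
the access point, categorize it by application class, and render the two display portions
(a chart and a text description). Added example; not the patent's code. The records are
constructed and the port-to-class map is an assumption based on well-known ports.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PacketRecord:
    t: float      # seconds since the measurement window opened
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    sport: int
    dport: int
    nbytes: int


# Application classes are those of Table 2; the ports chosen for them are assumptions.
PORT_CLASS = {
    ("udp", 53): "low-bandwidth, delay sensitive",          # DNS
    ("tcp", 23): "low-bandwidth, delay sensitive",          # TELNET
    ("udp", 5004): "high-bandwidth, delay sensitive",       # RTP audio/video (assumed port)
    ("tcp", 80): "high-bandwidth, nominally interactive",   # web requests, downloads
    ("tcp", 20): "high-bandwidth, nominally interactive",   # FTP data
    ("tcp", 25): "non-interactive",                         # SMTP mail
    ("tcp", 119): "non-interactive",                        # NNTP news
}
UNCLASSIFIED = "unclassified"


def service_port(proto: str, sport: int, dport: int) -> int:
    """The well-known side identifies the application whichever way the packet travels."""
    if (proto, dport) in PORT_CLASS:
        return dport
    if (proto, sport) in PORT_CLASS:
        return sport
    return dport


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    port: int
    app_class: str
    nbytes: int = 0
    npackets: int = 0

    def rate_kbps(self, window_s: float) -> float:
        return self.nbytes * 8 / 1000 / window_s


def profile(records: List[PacketRecord]) -> Dict[Tuple, Flow]:
    """First and second codes: accumulate bytes per flow and label each flow with a class."""
    flows: Dict[Tuple, Flow] = {}
    for r in records:
        port = service_port(r.proto, r.sport, r.dport)
        key = (r.src, r.dst, r.proto, port)
        if key not in flows:
            flows[key] = Flow(r.src, r.dst, r.proto, port,
                              PORT_CLASS.get((r.proto, port), UNCLASSIFIED))
        flows[key].nbytes += r.nbytes
        flows[key].npackets += 1
    return flows


def class_totals(flows: Dict[Tuple, Flow], window_s: float) -> Dict[str, float]:
    totals: Dict[str, float] = defaultdict(float)
    for f in flows.values():
        totals[f.app_class] += f.rate_kbps(window_s)
    return dict(totals)


def chart(totals: Dict[str, float], link_kbps: float, width: int = 40) -> str:
    """Third code: the graphical portion, here one bar per class scaled to the link rate."""
    lines = []
    for cls, kbps in sorted(totals.items(), key=lambda kv: -kv[1]):
        bar = "#" * min(width, round(width * kbps / link_kbps))
        lines.append(f"{cls:38s} {bar:<{width}s} {kbps:7.2f} kbps")
    return "\n".join(lines)


def text_report(flows: Dict[Tuple, Flow], window_s: float) -> str:
    """Fourth code: the text portion, one line per flow, busiest first."""
    rows = sorted(flows.values(), key=lambda f: -f.rate_kbps(window_s))
    return "\n".join(f"{f.rate_kbps(window_s):8.2f} kbps  {f.src} -> {f.dst}  "
                     f"{f.proto}/{f.port}  {f.npackets} pkts  [{f.app_class}]" for f in rows)


def sample_records() -> List[PacketRecord]:
    """Constructed ten-second capture at the access link (five flows)."""
    recs: List[PacketRecord] = []
    recs += [PacketRecord(i * 0.2, "203.0.113.10", "10.0.0.5", "tcp", 80, 40001, 1500) for i in range(50)]
    recs += [PacketRecord(i * 2.0, "10.0.0.7", "10.0.0.1", "udp", 40002, 53, 80) for i in range(5)]
    recs += [PacketRecord(i * 0.4, "10.0.0.9", "198.51.100.2", "tcp", 40003, 25, 1000) for i in range(25)]
    recs += [PacketRecord(i * 0.1, "203.0.113.20", "10.0.0.5", "udp", 5004, 40004, 200) for i in range(100)]
    recs += [PacketRecord(i * 1.0, "10.0.0.12", "198.51.100.9", "tcp", 40005, 6000, 1200) for i in range(10)]
    return recs


WINDOW_S = 10.0
LINK_KBPS = 128.0   # assumed access link rate for scaling the chart

if __name__ == "__main__":
    flows = profile(sample_records())
    print(chart(class_totals(flows, WINDOW_S), LINK_KBPS))
    print()
    print(text_report(flows, WINDOW_S))
```

Port-based classification is only a heuristic: a user who wants the share given to "nominally interactive" traffic can run a bulk transfer over port 80, and the flow on port 6000 above shows up as unclassified. A policy that enforces limits should therefore key on the measured rate per flow (which this profile provides) and not only on the class the port suggests.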

The present invention can also be used with a number of various files. For
example, a number of common applications, such as FTP and HTTP, can handle a wide
variety of files. The file types being transferred and downloaded place different demands on
the underlying infrastructure. Index and HTML files take up limited bandwidth but have very
mundane contents. On the other hand, GIF, JPEG and MPEG, RA and AVI files take up a
lot more bandwidth but provide a rich multimedia experience to the end-user. In fact, push
technologies such as PointCast basically download rich-multimedia bandwidth-intensive files.

The present invention can also be used with a variety of user requirements.
For example, networks are facing an explosion in the number of (inter)networked
applications and data accessible through them. Network resources are increasingly being
used for a wide variety of purposes, ranging from business critical to personal. This means
that policies must ensure that scarce resources (e.g., Internet bandwidth) are utilized with the
goal of maximizing the returns to the organization. These benefits can come from direct
revenue generating activities or from improved productivity (or reduced loss of productivity).
As shown in Table 3, for example, at a mythical company called "Shebang Software Inc."
the highest bandwidth priority has been allocated to technical support. However, there is no
hard and fast rule. As with security policies, decisions should be consistent with the needs of
the organization.

Table 3: Shebang Software User Priorities

Users                               Application Class   Reasons
------------------------------------------------------------------------------------------
Technical support                   Mission critical    Needs most bandwidth to deal with
                                                        customers who need assistance

Sales and marketing                 Critical            Needs bandwidth to deal with potential
                                                        customers: answer inquiries, make
                                                        quotes, transmit multimedia presentations

Upper management and middle         Casual              Needs bandwidth to perform tasks
management, administrative                              necessary to run the business

Development and manufacturing       Personal            Needs bandwidth to send e-mail and
                                                        subscribe to push technologies



The present invention takes into account, in one or more embodiments, the
factors which are described specifically above. Although the above has been generally
described in terms of a specific type of information, other types of information on a network
can also be used with the present invention. Additionally, the present invention has been
described in general to a specific system. For instance, the present bandwidth management
tool can be applied at a network's Internet access link. Alternatively, the present tool can be
applied to a private WAN link to a remote corporate site or an access to a server farm (e.g., a
group of servers located in a special part of the network close to an access link, e.g., in a web
hosting environment). Alternatively, the present invention can be applied to key servers
(e.g., database/web server) within an organization servicing internal and/or external users.
Furthermore, the present bandwidth management tool can be applied to any combination of
the above or the like.

Fig. 2 is a simplified block diagram 200 of details of system architecture
according to an embodiment of the present invention. The block diagram is merely an
illustration and should not limit the scope of the claims herein. The architecture includes a
variety of layers that each interface to each other as depicted by the layers. The system
includes a network layer 211, which interfaces to incoming and outgoing information to the
network. The network layer can be of a variety including, among others, Ethernet and Token
Ring. A physical layer 209 is disposed above the network layer 211. The physical layer can
be personal computers, which are commonly called PCs, or network interface computers,
which are commonly called NCs, or alternatively workstations. As merely an example, a
personal computer can be an IBM PC compatible computer having a 586-class based
microprocessor, such as a Pentium™ from Intel Corporation, but is not limited to such a
computer or processor. An operating system ("OS") is used on the computer such as
Windows NT™ from Microsoft Corporation, but can also be other OSs. The system is also
coupled to a graphical user interface ("GUI") 201 and is coupled to directory services such
as, for example, LDAP, but can be others. A detailed discussion of directory services is
described in U.S. Application Serial Nos. (Attorney Docket Nos. 18430-1-
1, 18430-1-2, 18430-2-3) which are commonly assigned, and hereby incorporated by
reference for all purposes.

Directory services 224 and GUI 201 couple to an application programming
interface ("API") 223. The API is coupled to a traffic management or bandwidth
management tool 208 with at least three modules, including a policy engine module 231, a
FAST module 229, and a FAIR module 227, which will be discussed in more detail below,
but is not limited to these modules. The bandwidth management tool 208 can be
predominantly software based and is substantially free from any significant hardware or
software changes in the network. In a preferred embodiment, the bandwidth management
tool 208 can be loaded onto a server without any changes to hardware. In an alternative
preferred embodiment, the tool can install, configure, and operate on a conventional IBM
compatible PC running an operating system, such as, for example, Windows NT, but can be
others. The tool can be deployed at any appropriate point in the network data path. The tool
can also be stand-alone at the WAN access point (e.g., behind the Internet access router or
behind a firewall), with a conventional firewall or with an NT based proxy/caching server or
application server (e.g., a Web server).

Tool 208 performs incoming and/or outgoing management of information over the network of computers. In a specific embodiment, traffic management tool 208 performs inbound and outbound monitoring and control of flows by application, source address, destination address, URL, time of day, day of week, day of month, and other variations. In a specific embodiment, tool 208 also monitors, controls, and produces reports and alarms, which can enhance a whole spectrum of traffic monitoring and control activities ranging from bandwidth/latency control to capacity planning.

In a specific embodiment, the bandwidth management tool adapts to "real" changes on any pre-existing networking system. For example, network infrastructure management involves a continuous process of monitoring, reporting, and deploying changes to match network growth or changing needs in a growing office, for example. These changes exist at various levels and time scales. As merely examples, the network changes can be to enforce a QoS policy for a critical service, add WAN bandwidth, segment the network, upgrade a router, choose a guaranteed service level for a web site (e.g., the user's own web site), or notify "Mr. Hog" (i.e., a user occupying too much bandwidth) that he should schedule his large personal downloads at more prudent times such as late at night, for example.

BANDWIDTH MANAGEMENT PROCESS 

The bandwidth management tool can employ these changes using, for example, the process shown in Fig. 3. This process is merely an illustration and should not limit the scope of the claims herein. As shown, Fig. 3 is a simplified diagram 300 of a traffic management cycle according to an embodiment of the present invention. The traffic management cycle is depicted as a continuous cycle, which includes a monitoring phase 301, a creating/applying policy phase 303, and a reporting/alarming phase 305, but is not limited to these cycles. That is, these cycles can be separated or combined depending upon the application. By way of this cycle, the tool can adapt to any changes to the networking system according to the present invention.

In an aspect of the present invention, the present tool can monitor and control activities at various times, e.g., seconds, days, weeks, months, years. Some details with regard to these control activities are shown below under the headings.

1. Second to second

The tool provides second to second time scale monitoring and control of incoming and outgoing traffic over the network. As merely an example, the tool ensures that critical or more important traffic gets a right of way during traffic bursts and provides bandwidth enforcement. Multiple users of the network at a specific time can cause the traffic burst. Alternatively, multiple sessions on the network at a specific time can cause the traffic burst. Once the traffic burst is detected, the tool has a control device, which provides bandwidth enforcement to ensure that the more important traffic gets through the network.

2. Day to day

The tool provides day to day time scale monitoring and control of incoming and outgoing traffic over the network. As merely an example, the tool manages time of day congestion, and responds to intermittent problems or perceived problems. The tool generally deals with problems or limitations that are very specific and isolated to particular users or particular services at particular times that need to be tracked down quickly.

3. Week to week

The tool provides week to week time scale monitoring and control of incoming and outgoing traffic over the network. The tool analyzes traffic usage performance patterns, what services or hosts are active on the network, and troubleshoots chronic problems. In particular, the tool looks at aggregates, such as a particular segment of the network, and compares Websites or compares groups of users for usage of bandwidth and frequency of usage.

4. Longer term activities

The tool provides long term time scale monitoring and control of incoming and outgoing traffic over the network. The tool implements changes in organizational priorities, in billing. The tool also provides service for new applications as they are introduced, and provides for capacity planning for network resources. The present tool can also be used with network stress testing tools to obtain detailed analysis of flows and traffic behavior with/without policy enforcement before a new application is deployed to change the network infrastructure.

Based upon the above description, the present tool can be used to monitor and control incoming and outgoing traffic over a variety of time frequencies. The time frequencies include second by second, day to day, or long term, and combinations thereof, depending upon the application. Of course, the time frequency used depends upon the particular network and applications.

Figs. 4-7 are simplified diagrams of systems according to various embodiments of the present invention. These diagrams are merely illustrations and should not limit the scope of the claims herein. One of ordinary skill in the art would recognize other variations, alternatives, and modifications. These systems show various deployment scenarios according to the present invention.

1. Internet Service Provider (ISP)

Fig. 4 is a simplified diagram 400 of the present tool in an ISP environment according to the present invention. The diagram 400 includes a variety of elements such as an ISP LAN 401, which is coupled to network elements including a remote access concentrator 403, a web server 417, an FTP server 415, a router 413, a news server 411, and others. The tool 405 is coupled between the ISP LAN and router 407, which is connected to the Internet 409. In this embodiment, the ISP is providing a number of services to its customers and the present tool sits by the Internet link and manages inbound and outbound traffic.

2. Web Hosting Deployment 

Fig. 5 is a simplified diagram 500 of the present tool in a web hosting environment according to the present invention. The diagram 500 includes a variety of elements such as a LAN backbone 501, which is coupled to network elements including web servers 503, 511, 513, and others. The present tool 505 is coupled between LAN 501 and router 507, which is connected to the Internet 509. In the present embodiment, the tool is being used to manage inbound and outbound traffic between some Websites and the Internet. In a specific embodiment, most of the data being transmitted is multimedia-based, but is not limited to such data.

3. End-User Deployment

Fig. 6 is a simplified diagram 600 of the present tool in a campus environment according to the present invention. The diagram 600 includes a variety of features such as a campus network 601, which is coupled to network elements such as a desktop PC 603, a UNIX computer 617, an NT Server 615, a web server 613, directory services 611, and others. A bandwidth management tool 605 is coupled between campus network 601 and router 607, which is coupled to Internet 609. In this embodiment, a LAN or WAN supports a number of different setups and configurations, which compete for bandwidth to access the Internet. The present tool acts as an arbitrator for implementing rules, enforcing policies, and setting admissions for classes, as well as performing other acts.

4. Private WAN

Fig. 7 is a simplified diagram 700 of the present tool deployed for a large corporation that has an Intranet as well as an Internet. The diagram 700 includes a variety of elements or "children" such as a connection to Frankfurt 715, a connection to London 713, a connection to Hong Kong 717, and a connection to Paris 719. Each connection or child includes a router 705A, E, D, C, and the present tool 703A, E, D, C, which is coupled between the router and the hub ("HQ"). In a WAN-based environment, for example, HQ 701 is the hub that handles a number of independent systems (e.g., Frankfurt, London, Hong Kong, Paris), which can be LAN-based. In this embodiment, the present tool 703B also sits by the Internet 711 and is used to allocate bandwidth between the competing children, e.g., Frankfurt, London, Hong Kong, Paris. Router 705B is coupled between tool 703B and Internet 711.

Although the above descriptions have been made in terms of deploying the present tool in selected environments, the present tool can also be deployed in other environments. For example, the present tool can be deployed in any combination of the above. Alternatively, the present tool can be deployed in any portion of the above environments. Of course, the type of environment used by the present tool depends highly upon the application.

In a specific embodiment, the tool provides an easy to use interface or graphical user interface ("GUI") for performance monitoring and profiling (e.g., accounting). Profiling can be based on active services, clients and servers, among other parameters. Additionally, profiling of the network can be started as soon as the tool is installed into the server of the network. Accordingly, the tool provides immediate accounting and service measurement on a variety of QoS measures.

In a specific embodiment, the present tool generally uses two mechanisms to implement efficient traffic monitoring and traffic control. These mechanisms include processes performed by the FAST module and the FAIR module, which are shown in Fig. 2, for example. Additionally, the present tool uses a policy engine module 231, which oversees the FAST module 229 and the FAIR module 227. Some details of these modules are described as follows.

1. FAST Module (Flow Analysis and Session Tagging)

The FAST module generally provides for monitoring of incoming and outgoing information to and from the network or link. Flow Analysis and Session Tagging ("FAST") implements rich, application level traffic classification and measurement. This operation is accomplished without introducing slow data paths, to minimize latency and maximize overall throughput of traffic through the tool management engine. As shown in Fig. 2, the FAST module provides for classification 203 of information such as parameters 213 including application, presentation, session, transport, and network. The FAST module also provides for measurement 219 of various parameters. The FAST module is coupled to the API.

2. FAIR Module (Flow Analysis and Intelligent Regulation)

The FAIR module generally implements traffic control and manages bandwidth of incoming and outgoing information to and from the network or link. Flow Analysis and Intelligent Regulation ("FAIR") implements traffic control based on a combination of flow control and queuing algorithms. FAIR's objective is to provide inbound and outbound traffic management for meaningful time intervals, reducing the load on packet classifiers and packet schedulers. The FAIR module controls 205 incoming and outgoing information to and from the network. Additionally, the FAIR module controls 205 by parameters 215 such as class, session, bursty packet, and others. The FAIR module also controls the time 217 of allocating bandwidth for these parameters. The FAIR module is coupled to the API.

3. Policy Engine Module

The policy engine module 231 oversees the FAST and FAIR modules. The engine module also interfaces with the API. In an embodiment, the policy engine module includes a security policy 201, a traffic policy 202, and other policies 221. The security policy provides parameters for securing the present tool. The traffic policy defines specific limitations or parameters for the traffic.

Some definitions about the various modules have been described above. These definitions are not intended to be limiting. One of ordinary skill in the art would recognize other variations, modifications, and alternatives. Additionally, the modules described are generally provided in terms of computer software. Computer software can be used to program and implement these modules, as well as others. The modules can be combined or even separated, depending upon the applications. Functionality of the modules can also be combined with hardware or the like. In a specific embodiment, the present modules are implemented on a WindowsNT™ operating system, which has been developed by Microsoft Corporation. Of course, other operating systems can also be used. Accordingly, the present modules are not intended to be limiting in any manner.

In an embodiment, the present tool can be configured based upon at least the following components: traffic classes, traffic policies, traffic rules, and traffic entities. Some information about these components is described below.

1. Traffic Classes

The present tool identifies data flows at a network site based on traffic classes. A traffic class is any combination of the following, but is not limited to these:

IP address, subnet, network, netgroup, or range of source or destination;

URL of the sender or group of URLs;

Service (e.g., HTTP, FTP) or groups of services;

FTP and HTTP file types can be selected as well;

Time of day, day of week/month; and

Inbound and outbound information.

As shown above, traffic classes are directional. Traffic classes configured for inbound traffic are managed separately from traffic classes configured for outbound traffic. For example, the present tool may decide to guarantee a minimum bandwidth to critical traffic so that it is not affected by congestion from large downloads. Additionally, the present tool may want to monitor Push traffic for a while and then choose to limit it if it is perceived as a problem. Traffic classes can also be for measurement only or for control and measurement in some embodiments. These are merely examples and should not limit the scope of the claims herein.

2. Traffic Policies

Traffic policies are generally mechanisms used to control the traffic behavior of specific classes. In an embodiment, the present tool can configure policy properties which provide, for example:

Bandwidth guarantees - granting classes a minimum bandwidth in the presence of congestion or competition;

Bandwidth limits - establishing a limit on the total bandwidth used by the class;

Setting priorities - establishing a priority order for bandwidth limiting or servicing traffic from a class. (That is, high priority classes are serviced first and are affected the least during contention for bandwidth. Lower priority classes are serviced in order of priority and may be more affected by congestion or contention);

Admission control - establishing conditions under which a new network session or service request is admitted or not admitted. (This kind of policy establishes a broad bandwidth control or service quality for sessions already admitted).

■ 1 - v . ■ ' ' , • V * * ' ' . 

As shown, the present invention provides policies such as bandwidth guarantees, bandwidth limits, setting priorities, admission control, and others. It may assist the reader in understanding some of the terms used in the policies by drawing an analogy with a geographical highway for automobiles. For example, bandwidth relates to how fast one can go (e.g., fast or slow lane) once a user has entered the stream of traffic on the highway. That is, the physical limit for speed in the specific lane chosen. Priority is analogous to how quickly the user is able to enter the highway and move into a designated lane, and how often the user may have to temporarily give way to other vehicles during the drive. Admission control is analogous to the metered lights at the entrance of the freeway where one is made to wait under certain conditions. Of course, depending upon the applications other analogies can be used to explain the policies. Additionally, the policies are merely examples and should not limit the scope of the claims herein.

3. Traffic Rules

A rule generally includes a traffic class and a policy associated with the class. A class can have several policies that apply at different time intervals. 'Rule' is also used to refer to the policy or to a specific row in the present tool user interface. The present tool user interface is described in, for example, U.S. Application No. ___ (Attorney Docket No. 18430-000300), commonly assigned, which is hereby incorporated by reference for all purposes.
4. Traffic Entities

The present tool refers to entities in at least two different contexts: defining traffic classes and viewing traffic profiles. For example, a network entity generally refers to an IP address, host, subnet, IP net, IP range, URL or a group of other network entities. A service entity refers to a single service or a group of services. A native entity is referred to in viewing traffic profiles. No rule setting or configuration is required to monitor these entities. When the present tool is installed, it begins to profile traffic based upon detected services, clients, or servers, all of which are called native entities.

5. Guidelines for Developing Traffic Policies 

The present invention provides some guidelines for developing traffic policies. For example, to develop meaningful and effective traffic policies, the present tool may need to understand and take into account one or more of the following:

• The kind of business being performed by the user over the Internet. If the user is an ISP, the user may need to develop a business/pricing model that leverages the features of the present tool. If the user is managing corporate access to the Internet, the user may want to identify any business critical services being provided over the Internet.

• The priority of clients, servers and URLs hosted in the user's network or accessed over the Internet. This can be organized as business critical, casual and personal.

• The properties of different applications being used, whether they utilize lots of bandwidth or not. The user may also need to account for the type of files commonly downloaded by users from the Web site.

• Measure and analyze traffic using the present tool's profiles. Additionally, monitoring of selected entities (e.g., users, services) may also be useful.

In a further embodiment, the present tool provides some general guidelines for some commonly used applications. These guidelines should be used in conjunction with business driven priorities, traffic profiling, and selective real-time monitoring to establish an effective traffic policy. Selected guidelines are defined as follows, but are not limited to these.

• Delay-sensitive low bandwidth applications, such as TELNET and DNS, are controlled best by setting a high priority policy. The present tool can give the highest priority to all network control traffic, such as QoS signaling, session establishment, domain lookup and routing protocols.

• Streaming multimedia applications, such as Real Audio/Video and VXtreme, can hog a lot of bandwidth but are also delay and bandwidth sensitive. If they are not critical, they are controlled best by setting a high priority and a policy to limit admission of sessions so that bandwidth use is capped but admitted sessions have a reasonable quality.

• Push technologies, such as PointCast and Marimba, download large files, are not delay or bandwidth sensitive and usually not business critical. They are best controlled by a limiting bandwidth policy and a low priority.

• Bulk-data non-interactive applications, such as SMTP and NNTP, should be guaranteed a small bandwidth minimum so that they are not totally squeezed out by congestion or control policies.

• Bulk-download, nominally interactive applications, such as FTP or some HTTP downloads, are commonly used in a variety of situations, ranging from critical to casual. Differentiating various types of usage in this case can usually be made only on the basis of file types and/or source or destination addresses. In this case, a small minimum can be guaranteed for more important use.

• In bulk-download applications (e.g., file size > 20 KBytes), overall congestion and burstiness can be controlled by slightly limiting this traffic, even if it is just a little below the total available bandwidth (e.g., 90%). The present tool can provide smoothing controls on this traffic without impacting overall perceptible performance for these downloads. This is particularly useful at lower link speeds (128 K and below).

• Mission critical applications, such as Lotus Notes, Oracle SQLNet, and LDAP, are controlled best by setting a high priority with a guaranteed bandwidth minimum.

The above provides some guidelines for commonly used applications according to the present invention. Using the above guidelines, the present tool can effectively allocate bandwidth on a network, for example. Again, the above guidelines are merely examples and should not limit the scope of the claims herein.

In a specific embodiment, the present tool provides a comprehensive, flexible, rule-based paradigm for implementing traffic control, as illustrated by a simplified flow diagram 800 of Fig. 8. This flow diagram 800 is merely an illustration and should not limit the scope of the claims herein. One of ordinary skill in the art would recognize other variations, modifications, and alternatives. Before explaining the flow diagram, it may assist the reader by reviewing some general terms used herein.
These terms include, among others, "rules" and "classes" and "policies." Rules can be created for very specific groups of flows or more general groups of flows, which are commonly all the stuff that transmits to and from a link to a gateway point. Groups of flows are also referred to as traffic classes, but are not limited to such classes. Classes also can be defined by source, destination, application, file types, URLs, and other features. Policies can be specified to control traffic flows in terms of overall bandwidth guarantees, bandwidth limits, priority of service, how individual sessions within a class are serviced or admitted, and other aspects. The present tool also has intelligent policy validation that prevents users from defining any contradictory or ambiguous rules. Policy validation is generally a higher level check used by way of the present method.
The present method occurs at start, which is step 801, for example. In general, a flow of information or data or packets of information enter a gateway point, where the present tool sits. The present method classifies (step 803) the flow of information. Groups of flows can be referred to as traffic classes, but are not limited to such classes. Classes also can be defined by source, destination, application, file types, URLs, and other features. Other examples of classes were previously noted, but are not limited to these classes. In general, step 803 classifies the flow of information received into one of a plurality of predetermined classes.

The present tool measures parameters for each of the classes in step 805, which were received, for example. These parameters are based upon the policy or rule, which may be applied in a later step. As merely an example, parameters include the class itself, file sizes, and other information, which can be used by the policy or rule to apply the policy or rule to improve the quality of service for the network. After measuring the parameters, the present method applies a time stamp (step 807) on the parameters to correlate the class of information received to a time, for example.

A step of determining whether to apply a policy occurs in the next step 809. For example, if the class and the time (and the link state in some embodiments) meet predetermined settings, the policy is applied to the class in step 811 through branch 810. Alternatively, if one of the elements including the class, the time, or the link state does not meet the predetermined settings, the policy does not apply, and the process continues to measure parameters through branch 808. Alternatively, the process continues to measure parameters through branch 821 after the policy is applied to the flow of information for the class.

Depending upon the application, the policy is used to improve the quality of service of the network by performing at least one of a number of functions for the class of information from the flow. These functions include, among others, bandwidth guarantees, bandwidth limits, setting priorities, and admission control. The present process can also halt or stop as shown in step 815. The steps occur, in part, by way of the modules, which were previously described, but can also occur using other techniques including a combination of hardware and software, for example. This sequence of steps is merely illustrative and should not limit the scope of the claims herein. One of ordinary skill in the art would recognize other modifications, alternatives, and variations.
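The rule-based process of Fig. 8, as an added Python example that is not the patent's own code: directional traffic classes matched on service, source subnet and file type (step 803), measurement and time stamping of each flow (steps 805 and 807), a time-of-day rule lookup deciding whether a policy applies (step 809, branch 808 when none does), and the policy's admission control, priority, guarantee and limit applied to the flow (step 811). The class names, rule values, addresses and flows are constructed; the policy validation rejects the contradictory and ambiguous rules the text mentions (a guarantee above a limit, two rules for one class overlapping in time).

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src: str
    service: str      # e.g. "HTTP", "SMTP"
    direction: str    # "inbound" or "outbound"; classes are directional
    url: str = ""
    kbytes: int = 0

@dataclass(frozen=True)
class TrafficClass:
    name: str
    direction: str
    service: Optional[str] = None     # None = any service
    src_net: Optional[str] = None     # source subnet such as "10.1.0.0/16"; None = any
    file_type: Optional[str] = None   # e.g. ".mp3" for HTTP/FTP file-type classes

    def matches(self, flow: Flow) -> bool:
        return (flow.direction == self.direction
                and (self.service is None or flow.service == self.service)
                and (self.src_net is None or ip_address(flow.src) in ip_network(self.src_net))
                and (self.file_type is None or flow.url.lower().endswith(self.file_type)))

@dataclass(frozen=True)
class Policy:
    priority: int = 5                     # 1 = highest; serviced first under contention
    guarantee_kbps: Optional[int] = None  # minimum bandwidth kept under congestion
    limit_kbps: Optional[int] = None      # cap on total bandwidth used by the class
    max_sessions: Optional[int] = None    # admission control: refuse sessions beyond this

@dataclass(frozen=True)
class Rule:
    cls_name: str                   # a class can have several rules at different times
    policy: Policy
    start: time = time(0, 0)        # inclusive time-of-day interval
    end: time = time(23, 59, 59)

    def active(self, now: datetime) -> bool:
        return self.start <= now.time() <= self.end

def validate_rules(rules):   # policy validation: contradictory or ambiguous rules
    errors = []
    for r in rules:
        p = r.policy
        if p.guarantee_kbps and p.limit_kbps and p.guarantee_kbps > p.limit_kbps:
            errors.append(f"{r.cls_name}: guarantee exceeds limit")
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.cls_name == b.cls_name and a.start <= b.end and b.start <= a.end:
                errors.append(f"{a.cls_name}: two rules overlap in time")
    return errors

class Controller:
    def __init__(self, classes, rules):
        errors = validate_rules(rules)
        if errors:
            raise ValueError("; ".join(errors))
        self.classes, self.rules = classes, rules   # classes ordered most specific first
        self.sessions = {}          # class name -> admitted session count
        self.measurements = []      # (time stamp, class, kbytes): steps 805 and 807

    def process(self, flow: Flow, now: datetime) -> dict:
        # Step 803: classify into the first matching class, else "Others"
        cls = next((c for c in self.classes if c.matches(flow)), None)
        name = cls.name if cls else "Others"
        # Steps 805 and 807: measure the flow's parameters and time stamp them
        self.measurements.append((now, name, flow.kbytes))
        # Step 809: the policy applies only if a rule for this class is active now
        rule = next((r for r in self.rules if r.cls_name == name and r.active(now)), None)
        if rule is None:
            return {"class": name, "action": "measure"}      # branch 808: keep measuring
        p = rule.policy                                      # step 811: apply the policy
        count = self.sessions.get(name, 0)
        if p.max_sessions is not None and count >= p.max_sessions:
            return {"class": name, "action": "reject"}       # admission control
        self.sessions[name] = count + 1
        return {"class": name, "action": "admit", "policy": p}

# Constructed configuration following the application guidelines in the text.
CLASSES = [
    TrafficClass("realaudio", "inbound", service="RealAudio"),
    TrafficClass("mp3-downloads", "inbound", service="HTTP", file_type=".mp3"),
]
RULES = [
    Rule("realaudio", Policy(priority=2, max_sessions=2)),
    Rule("mp3-downloads", Policy(priority=7, limit_kbps=128), time(8), time(17, 59, 59)),
    Rule("mp3-downloads", Policy(priority=5), time(18), time(23, 59, 59)),
]

def demo():   # push a few constructed flows through the controller; returns its decisions
    ctl = Controller(CLASSES, RULES)
    day, night = datetime(1997, 5, 27, 10, 0), datetime(1997, 5, 27, 20, 0)
    mp3 = Flow("10.1.2.3", "HTTP", "inbound", "http://example.test/song.mp3", 3000)
    ra = Flow("10.1.2.4", "RealAudio", "inbound")
    return [ctl.process(mp3, day), ctl.process(mp3, night),
            ctl.process(ra, day), ctl.process(ra, day), ctl.process(ra, day),
            ctl.process(Flow("10.1.2.5", "GOPHER", "inbound"), day)]
```

The same MP3 download is limited to 128 kbps during the day and merely reprioritized in the evening, the third RealAudio session is refused by admission control, and an unrecognized service falls through to measurement only.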

In a preferred embodiment, the present invention uses a variety of graphical user interfaces for profiling and monitoring traffic. Figs. 9A-15 are simplified representations of graphical user interfaces for monitoring traffic according to the present invention. These representations are merely illustrative and should not limit the scope of the claims herein. One of ordinary skill in the art would recognize other variations, modifications, and alternatives.

Fig. 9A is a simplified flow diagram 950 of a profiling method according to the present invention. Profiling or monitoring traffic can occur using one of a plurality of user interfaces or graphical user interfaces. The present invention provides a profiles tab 953, which can be selected using a mouse or keyboard interface. The present method begins with a start step, which is step 951. Upon selecting a profiles tab 953, one of a plurality of tabs is prompted. These tabs represent services 957, server 959, and client 961. These tabs display relevant traffic statistics by every active service, server and client, respectively. By selecting one of the tabs, the present tool sorts data or information in ascending order by clicking on any header (e.g., Kb Transferred), as illustrated by Fig. 9 for a service tab 900. Other functions that can be performed using one of the profiles and the graphical user interface include:

• Click the Refresh button, all data is updated from the profiling engine.

• Click the Reset button 907, clears all the respective data from the profiling

• Click the Save As 909 button to save the respective data to a log file. The data is saved as tab-separated text.

Each of the present user interfaces also includes function keys 901 and a tool bar 903. Upon selecting the profiles tab, a profiles light or display indication illuminates 911. As shown, the main profiles tab also includes tabs for services 913, server 915, and client 917. Additional features of the various tabs including the services tab, the server tab, and the client tab are described below and refer to Figs. 9, 10, and 11, respectively, but are not limited to these descriptions.

1. Services Tab

Fig. 9 is a simplified diagram 900 of a representation of a graphical user interface for a services tab according to the present invention. In particular, the dialog box displays cumulative traffic statistics for selected applications. The services tab, which can be selected by default, provides the following information:

Service Name

This field 919 shows what services (e.g., All Services, FTP, HTTP, SMTP, POP3, SSL) the network uses. Summary statistics for all services (e.g., inbound or outbound) are also shown. Traffic from services that are not recognized by the present tool are indicated as 'Others'.

Direction

This field 919 indicates whether the service is inbound or outbound.

Note: Inbound and Outbound refer to the direction of data flow, not the request.

Kb Transferred

This field 923 shows the amount of data transferred in the inbound or outbound direction. As shown, the amount of data can be in kilobits transferred. Additionally, the amount of data can be referred to as a percentage of all services.

Connect Response Time

This field 925 indicates an average time to establish a session. The connect response time is in milliseconds, but is not limited to this time. The minimum and maximum connect response time is also shown in parentheses.

Request Response Time

This field 927 indicates an average response time for an application request. The request response time is in milliseconds, but is not limited to this time. The minimum and maximum request response time is also shown in parentheses.

Note: This measure is application specific and does not apply to all services. 
For example, for HTTP, it is the time taken by a URL to start sending 
data after a request for a file was made by a Web browser. 

Total Sessions

This field (not shown) indicates the total number of sessions established for this service.

Retries

This field (not shown) indicates the percentage of connect requests that needed to be retried. Retries can result from network congestion, packets dropped in the network or server congestion.

Server Aborts

This field (not shown) indicates the percentage of sessions aborted by the server.

Time

This field (not shown) indicates the last time the service was active.
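As an added illustration, not code from the patent or the described product, the Python below aggregates constructed session records into the cumulative per-service, per-direction statistics the services tab lists: Kb transferred and its share of all traffic, connect and request response times as average (min, max), total sessions, retry and server-abort percentages, and last active time, with "All Services" summary rows and unrecognized services rolled up as "Others". It also mirrors the header-click sort and the tab-separated Save As output; the session records and the set of recognized services are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Optional

@dataclass(frozen=True)
class Session:
    service: str
    direction: str             # direction of data flow, not of the request
    kb: int                    # kilobits transferred
    connect_ms: int            # time taken to establish the session
    request_ms: Optional[int]  # application request response time; None where not applicable
    retried: bool              # the connect request had to be retried
    aborted: bool              # the server aborted the session
    ended: int                 # completion time, seconds since profiling started

# Constructed session records standing in for the profiling engine's measurements.
SESSIONS = [
    Session("HTTP", "inbound", 820, 35, 120, False, False, 10),
    Session("HTTP", "inbound", 1500, 60, 410, True, False, 25),
    Session("HTTP", "outbound", 90, 30, 80, False, False, 26),
    Session("FTP", "inbound", 4100, 120, None, False, True, 40),
    Session("SMTP", "outbound", 260, 45, None, True, False, 41),
    Session("GOPHER", "inbound", 12, 50, None, False, False, 50),
]
KNOWN_SERVICES = {"FTP", "HTTP", "SMTP", "POP3", "SSL"}   # anything else is shown as "Others"

def summarise(name, direction, group, total_kb):
    # One row of the services tab: cumulative statistics for a service in one direction.
    connect = [s.connect_ms for s in group]
    request = [s.request_ms for s in group if s.request_ms is not None]
    kb, n = sum(s.kb for s in group), len(group)
    return {
        "service": name,
        "direction": direction,
        "kb": kb,
        "pct_of_all": round(100 * kb / total_kb, 1),
        "connect_ms": (round(mean(connect)), min(connect), max(connect)),   # avg (min, max)
        "request_ms": (round(mean(request)), min(request), max(request)) if request else None,
        "sessions": n,
        "retries_pct": round(100 * sum(s.retried for s in group) / n, 1),
        "server_aborts_pct": round(100 * sum(s.aborted for s in group) / n, 1),
        "last_active": max(s.ended for s in group),
    }

def profile_services(sessions, known=KNOWN_SERVICES):
    # Group sessions by (service, direction); unrecognised services roll up into "Others".
    groups = defaultdict(list)
    for s in sessions:
        groups[(s.service if s.service in known else "Others", s.direction)].append(s)
    total_kb = sum(s.kb for s in sessions) or 1
    rows = [summarise(name, direction, group, total_kb)
            for (name, direction), group in groups.items()]
    # Summary rows over all services, one per direction, as the tab shows them.
    for direction in ("inbound", "outbound"):
        group = [s for s in sessions if s.direction == direction]
        if group:
            rows.append(summarise("All Services", direction, group, total_kb))
    return rows

def sort_by(rows, header, descending=False):
    # Mirror a click on a column header: order the rows by that field (ascending by default).
    return sorted(rows, key=lambda r: r[header], reverse=descending)

def to_tsv(rows):
    # The Save As output: the rows as tab-separated text, header line first.
    cols = list(rows[0])
    lines = ["\t".join(cols)] + ["\t".join(str(r[c]) for c in cols) for r in rows]
    return "\n".join(lines) + "\n"
```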

2. Server Tab

Fig. 10 is a simplified diagram 1000 of a representation of a graphical user interface for a server tab according to the present invention. Upon selecting or clicking the server tab 915, screen 1000 appears. The dialog box displays cumulative traffic statistics for every active server. The server tab provides the following information, but is not limited to such information:

Server

This field 1001 shows the server host name, URL or IP address. Summary statistics for all servers are also shown.

Note:

• In one aspect of the invention, the present tool can profile up to 256 servers. Subsequent traffic from new servers is indicated as 'Others'.

• Host names can also be displayed in some embodiments.

Kb Transferred 

This field 1003 shows the amount of data transferred from the server. As shown, the amount of data can be in kilobits transferred. Additionally, the amount of data can be referred to as a percentage of all services.

Round Trip Time 

This field 1005 indicates an average round trip delay for packets sent to the server. The round trip time is in milliseconds, but is not limited to this time. The minimum and maximum round trip time is also shown in parenthesis.

Connect Response Time

This field 1007 indicates an average time to establish a session with the server. The connect response time is in milliseconds, but is not limited to this time. The minimum and maximum connect response time is also shown in parenthesis.

Total Sessions

This field 1009 indicates the total number of sessions established to the server.

Retries

This field (not shown) indicates the percentage of connect requests that needed 
to be retried. Retries can result from network congestion, packets dropped in 
the network or server congestion. 

Server Aborts

This field (not shown) indicates the percentage of sessions aborted by the server.

Access Speed 

This field (not shown) indicates the bottleneck speed for the route between the present tool as a host and a server.

Data Retransmits

This field (not shown) indicates the percentage of data packets that were retransmitted by the server.

Time

This field (not shown) indicates the last time data was received from the server.
3. Client Tab

Fig. 11 is a simplified diagram 1100 of a representation of a graphical user interface for a client tab according to the present invention. When the client tab 917 is selected or is clicked using a user interface, screen 1100 appears. The dialog box displays the cumulative traffic statistics for the clients. The client tab provides the following information, but is not limited to such information:



Client

This field 1101 shows the client host name or IP address. Summary statistics for all clients are also shown.



Note: The present tool can profile up to 256 clients in some embodiments. Subsequent traffic from the clients is indicated as 'Others'.



Kb Transferred 

This field 1103 shows the amount of data transferred to the client. As shown, the amount of data can be in kilobits transferred. Additionally, the amount of data can be referred to as a percentage of all services.



Round Trip Time 

This field 1105 indicates an average round trip delay for packets from this 
client. The round trip time is in milliseconds, but is not limited to this time. 
The minimum and maximum round trip time is also shown in parenthesis. 



Connect Response Time 

This field 1105 indicates the average time to establish a session from the client. The connect response time is in milliseconds, but is not limited to this time.
The minimum and maximum connect response time is also shown in 
parenthesis. 
Total Sessions

This field 1109 indicates the total number of sessions established from the client.

Retries

This field (not shown) indicates the percentage of connect requests that needed to be retried. Retries can result from network congestion, packets dropped in the network or server congestion.

Server Aborts

This field (not shown) indicates the percentage of sessions aborted by the server.

Time

This field (not shown) indicates the last time the client received data through the link used by the present tool.
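The Services, Server and Client tabs described above all report the same kind of per-entity statistics (Kb transferred and its share of the total, average with minimum and maximum connect response time, total sessions, retry and server-abort percentages, last activity, and the 256-entry limit with an 'Others' bucket). The following is an added example of that aggregation, not code from the patent; the Session records and host names are constructed sample data.

```python
"""Per-entity traffic statistics of the kind the Services, Server and Client tabs display.
Added example, not the patent's code; the Session records below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Session:
    service: str        # e.g. "HTTP", "FTP"
    server: str         # server host name, URL or IP address
    client: str         # client host name or IP address
    nbytes: int         # bytes transferred in the profiled direction
    connect_ms: float   # time taken to establish the session, milliseconds
    retried: bool       # the connect request had to be retried
    server_abort: bool  # the session was aborted by the server
    last_active: int    # last time the session was active (epoch seconds)


def summarize(sessions, key, max_profiles=256):
    """Group sessions by `key` ("service", "server" or "client") and compute the tab
    fields: Kb transferred and its share of all traffic, average (min, max) connect
    response time, total sessions, retry and server-abort percentages, last activity.
    At most `max_profiles` distinct entities are profiled; traffic from any further
    entity is lumped together as 'Others', as the patent describes."""
    groups = defaultdict(list)
    for s in sessions:
        name = getattr(s, key)
        if name not in groups and len(groups) >= max_profiles:
            name = "Others"
        groups[name].append(s)
    total_kb = sum(s.nbytes for s in sessions) * 8 / 1000  # kilobits
    stats = {}
    for name, rows in groups.items():
        n = len(rows)
        kb = sum(s.nbytes for s in rows) * 8 / 1000
        ct = [s.connect_ms for s in rows]
        stats[name] = {
            "kb_transferred": round(kb, 1),
            "pct_of_total": round(100 * kb / total_kb, 1) if total_kb else 0.0,
            "connect_ms": (round(sum(ct) / n, 1), min(ct), max(ct)),  # avg (min, max)
            "total_sessions": n,
            "retries_pct": round(100 * sum(s.retried for s in rows) / n, 1),
            "server_aborts_pct": round(100 * sum(s.server_abort for s in rows) / n, 1),
            "last_active": max(s.last_active for s in rows),
        }
    return stats


# Constructed sample sessions (not captured data).
SESSIONS = [
    Session("HTTP", "www.example.test", "10.0.0.5", 50_000, 120.0, False, False, 1000),
    Session("HTTP", "www.example.test", "10.0.0.6", 25_000, 80.0, True, False, 1010),
    Session("FTP", "ftp.example.test", "10.0.0.5", 125_000, 200.0, False, True, 1020),
    Session("HTTP", "www2.example.test", "10.0.0.7", 25_000, 100.0, False, False, 1005),
]

if __name__ == "__main__":
    for tab in ("service", "server", "client"):
        print(f"--- {tab} tab ---")
        for name, row in summarize(SESSIONS, tab).items():
            print(f"{name:20s} {row}")
```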

The present invention provides the aforementioned tool for profiling a variety of information from a flow of information at a communication link. The tool has an easy to use graphical user interface, which can sort information by at least services, client, or server, depending upon the application. The illustrations shown are merely used as examples and should not limit the scope of the claims herein.

In a specific embodiment, the present invention with graphical-user interface 
begins profiling upon installation. In particular, the present tool is installed onto a server to 
automatically start profiling traffic in inbound and outbound directions without any further 
configuration. The present tool can be stopped and restarted manually from a user interface. While the present tool is stopped, profiling is interrupted temporarily.

The present invention provides additional easy to use graphical tools to monitor 
and profile traffic. In one aspect, the present invention takes advantage of a Windows NT™ 
Performance Monitor to monitor traffic for any measurement or control rule that is created. 
In another aspect, the present invention can launch the Performance Monitor from the 'Administrative Tools' Program group and select counters for monitoring incoming and outgoing traffic from a link.

Fig. 12 is a simplified graphical user interface 1200 to launch a performance monitoring tool according to the present invention. This interface is merely an illustration and should not limit the scope of the claims herein. A method for launching the present tool occurs, in part, by selecting or clicking on the performance monitor tab 1201. The display shows available traffic classes 1201 (e.g., FTP, HTTP, PointCast), which have been defined in the traffic policy. Note that a traffic class is not a rule. There may be more than one rule that belongs to the same traffic class. Traffic classes are created when rules are edited. A traffic class is defined by at least a source, destination, and service properties. The display includes a group of option buttons 1207 titled monitor, which allows a user to specify whether the user wants to monitor bandwidth consumption 1209, connect time 1211, or connect retries 1213 for the selected classes. A prompt box 1215 above the option buttons 1207 provides a brief explanation of the selected option. A Launch button 1205 launches the performance monitor tool. To launch the present performance monitor tool:

1. Select one or more traffic classes 1203 in the list.

2. Choose monitor by clicking on an appropriate option button (e.g., bandwidth consumption, response time, failures) 1207 in the monitor group.

3. Push launch button 1205.

As merely an example, Fig. 13 is a simplified graphical user display 1300 for bandwidth consumption according to the present invention. As shown, the Fig. is an example of Class Bandwidth 1305 monitoring for a few services 1307 such as FTP, HTTP, etc. over a 56 Kbit Internet link. The vertical axis 1302 illustrates a bandwidth scale from "0" to "56.0" kbit, and the horizontal axis represents time 1306. The plurality of line plots 1304 each represent one of the services 1307, which are each color coded 1301 for easy reading by the user. The display also includes an object 1309 and a computer 1311, which is being used to monitor the traffic. Accordingly, the present display includes a graphical portion 1310 and a text portion 1320. The graphical portion includes the plurality of plots representing the services for bandwidth consumption as functions of time. The text portion is in the form of a legend, but can also include other information.
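The Fig. 13 display plots each traffic class's bandwidth consumption against time over a 56 kbit link, with a legend as the text portion; the classes themselves are defined by source, destination and service properties (Fig. 12). The following is an added example of that computation, not code from the patent: it categorizes constructed packet records into classes, bins them into charting intervals, and also reports per-interval link utilization of the kind a congestion report draws on. The class definitions, packet records and host names are all constructed.

```python
"""Class bandwidth against time, as plotted in the Fig. 13 display: packets are
categorized into traffic classes defined by source, destination and service, binned
into charting intervals, and expressed in kbit/s against the link capacity.
Added example, not the patent's code; the packet records below are constructed.
"""
from collections import defaultdict

LINK_KBPS = 56.0  # the 56 kbit Internet link of Fig. 13 (vertical scale 0 to 56.0)

# Each traffic class is defined by source, destination and service properties.
# "*" matches anything; classes are tested in order and unmatched traffic is 'Others'.
CLASSES = [
    {"name": "FTP", "src": "*", "dst": "*", "service": "ftp"},
    {"name": "HTTP", "src": "*", "dst": "*", "service": "http"},
    {"name": "PointCast", "src": "*", "dst": "*", "service": "pointcast"},
]


def classify(pkt, classes=CLASSES):
    """Return the name of the first class whose properties all match the packet."""
    for c in classes:
        if all(c[k] in ("*", pkt[k]) for k in ("src", "dst", "service")):
            return c["name"]
    return "Others"


def class_bandwidth(packets, interval_s, classes=CLASSES):
    """Return ({class: [kbit/s per interval]}, [link utilization % per interval]).
    The per-class series are the line plots of the graphical portion; the
    utilization list is the kind of figure a congestion report is built from."""
    if not packets:
        return {}, []
    t0 = min(p["t"] for p in packets)
    nbins = int((max(p["t"] for p in packets) - t0) // interval_s) + 1
    bits = defaultdict(lambda: [0] * nbins)
    for p in packets:
        bits[classify(p, classes)][int((p["t"] - t0) // interval_s)] += p["bytes"] * 8
    series = {c: [round(v / 1000 / interval_s, 2) for v in vals] for c, vals in bits.items()}
    util = [round(100 * sum(s[i] for s in series.values()) / LINK_KBPS, 1) for i in range(nbins)]
    return series, util


def legend(series):
    """Text portion of the display: one line per plotted class with its peak rate."""
    return [f"{name}: peak {max(vals):.1f} kbit/s" for name, vals in series.items()]


# Constructed packet records: t in seconds, sizes in bytes (not captured traffic).
PACKETS = [
    {"t": 0, "src": "10.0.0.5", "dst": "ftp.example.test", "service": "ftp", "bytes": 20_000},
    {"t": 3, "src": "10.0.0.6", "dst": "www.example.test", "service": "http", "bytes": 5_000},
    {"t": 12, "src": "10.0.0.5", "dst": "ftp.example.test", "service": "ftp", "bytes": 50_000},
    {"t": 15, "src": "10.0.0.6", "dst": "www.example.test", "service": "http", "bytes": 10_000},
    {"t": 25, "src": "10.0.0.8", "dst": "news.example.test", "service": "nntp", "bytes": 7_000},
]

if __name__ == "__main__":
    series, util = class_bandwidth(PACKETS, interval_s=10)
    for name, vals in series.items():
        print(f"{name:10s} {vals}")
    print("link utilization %:", util)
    print("\n".join(legend(series)))
```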

The illustration in the above Fig. is merely an example and should not limit the scope of the claims. Although the present example has been described in terms of bandwidth consumption, the present performance monitor tool can also be used to monitor a variety of other parameters, as discussed above. These other parameters include, among others, connect time, or connect retries for the selected classes. Furthermore, the present tool has other types of charts such as a bar chart, a pie chart, and the like. Of course, the parameter being profiled and monitored depends upon the application.

In an alternative embodiment, the present invention provides a user interface for modifying the plots or charts, such as the one previously described, as well as others. Fig. 14 is a simplified interface tool 1400 used to modify chart styles, scales, charting intervals, etc. This tool is merely an example and should not limit the scope of the claims herein. The present tool has an "OK" button for saving or storing selected chart options. A "cancel" button 1403 is also shown to delete or remove selected chart options. A help button 1405 is shown to identify features of any of the chart options. Numerous chart options 1407 exist. For example, options include, among others, a legend, a value bar, a vertical grid, a horizontal grid, and vertical labels. To select any one of these options, the user clicks onto the box located next to the option or enters the underlined key designating the option. Chart options also include a gallery 1409, either in graph or histogram form. Additionally, the chart can have a maximum vertical scale 1411 such as the 56 for 56 kbits/second. Furthermore, the chart can have a refreshing or updating cycle time 1413. In one aspect, the cycle time can be manually updated. Alternatively, the cycle time can be periodically updated. When using the periodically updating feature, a time interval (e.g., seconds) needs to be specified and entered into a field, as shown.

Fig. 15 is a simplified graphical user interface 1500 for adding or specifying an additional chart according to the present invention. This interface or tool is merely an example and should not limit the scope of the claims herein. This interface allows the user to select the parameters to be monitored on the chart. These parameters include, among others, the computer to be monitored 1507, the object 1509, the counter 1511, and the instance 1514.

Depending on the types of parameters being monitored or profiled, specific visual details of the plots or charts are also selected. These details include the plot color 1513, the plot width 1519, the plot style 1517, and others. A counter definition 1515 is also made or selected. Once all the changes have been made or selected, the user can add the changes to be monitored by the tool by pressing or selecting the add button 1501. Alternatively, the user may start over by selecting the cancel button 1503. If the user would like an explanation on any one of the features described in the tool, the user may select either the explain button 1505 or the help button 1506. Of course, this user interface is merely an example and should not be limiting in any manner outside the spirit and scope of the claims.

In yet an alternative aspect, the present monitoring or profiling tool has a save feature for storing the chart or plot. In particular, the present tool can save snapshots of measurements to a disk file or the like. As merely an example, the present tool saves snapshots using the following sequence of steps, which should not be construed as limiting:

1. Go to View/Log in the tool to configure a log file;

2. Add measurements to the file and start and/or stop logging.

Furthermore, the present tool provides congestion, utilization, and performance degradation reports, which make day to day troubleshooting much simpler and serve to justify or validate policy setting decisions. For example, a chronic problem affecting a service through a day period (i.e., 24 hour) can be monitored by a combination of real-time monitoring, which will be described in more detail below, and congestion reports. By monitoring and using the reports, it may be determined that the affected service is not getting its due share of bandwidth, or a limitation exists with the server or in the Internet backbone.

Conclusion

In the foregoing specification, the invention has been described with reference to specific exemplary embodiments thereof. Many changes or modifications are readily envisioned. For example, the present invention can be applied to manage a variety of TCP/IP network traffic types for the Internet and Intranet. Further, the techniques can also be applied to Novell SPX, Xerox XNS or any protocol with a similar 'flow-control' design that utilizes windows and acknowledgment signals (similar to ACK).

Alternative embodiments of the present invention can also be applied to a 'legacy' private WAN running IP as well as native Novell protocols if there is a need (e.g., file server and client/server traffic). Further, embodiments of the present invention can include monitoring, billing, and reporting features, thus allowing for enhanced client billing and internal cost accounting of network usage.

These techniques are preferably implemented within a firewall platform to provide the following benefits: bidirectional bandwidth management of network links carrying TCP traffic; reactive (short time scale) and proactive (long time scale) control mechanisms; and gateway (local) and end-end (global) techniques for bandwidth control.

This solution reduces their contribution to congestion in the Internet, and operates in present day heterogeneous wide area networks, such as the Internet, without requiring any client, server or router changes.

The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense. It will, however, be evident that various modifications and changes may be made thereunto without departing from the broader spirit and scope of the invention as set forth in the claims.
WHAT IS CLAIMED IS:

1. A graphical user interface for monitoring a flow of information coupled to a network of computers, said graphical user interface comprising:

a display comprising at least a first portion and a second portion, said first portion comprising a graphical chart representing said flow of information, said second portion comprising text information describing said flow of information.

2. The interface of claim 1 wherein said graphical chart comprises bandwidth consumption.

3. The interface of claim 2 wherein said bandwidth consumption is a plot of bandwidth consumed against time.

4. The interface of claim 2 wherein said bandwidth consumption is a plurality of plots, each of said plots representing consumed bandwidth against time.

5. The interface of claim 2 wherein said flow of information comprises one of a plurality of traffic classes.

6. The interface of claim 1 wherein graphical chart comprises a plot of failure rates against time.

7. The interface of claim 1 wherein said graphical chart comprises a plot of delay rates against time.

8. The interface of claim 1 wherein said display is outputted on a computer monitor.
9. The interface of claim 1 wherein said display is a real-time display of a portion of said flow of information.

10. The interface of claim 1 wherein said graphical chart is selected from a graph, a histogram, a bar chart, and a pie chart.

11. A computer network system, said computer network system a real-time bandwidth profiling tool, said real-time bandwidth profiling tool comprising a graphical user interface on a monitor, said graphical user interface comprising at least a first portion and a second portion, said first portion comprising a graphical chart representing said flow of information, said second portion comprising text information describing said flow of information.

12. The computer network system of claim 11 wherein said graphical chart comprises bandwidth consumption.

13. The computer network system of claim 12 wherein said bandwidth consumption is a plot of bandwidth consumed against time.

14. The computer network system of claim 12 wherein said bandwidth consumption is a plurality of plots, each of said plots representing consumed bandwidth against time.

15. The computer network system of claim 12 wherein said flow of information comprises one of a plurality of traffic classes.

16. The computer network system of claim 11 wherein graphical chart is selected from a plot of failure rates against time or a plot of delay rates against time.

17. The computer network system of claim 1 wherein said graphical chart is selected from a graph, a histogram, a bar chart, and a pie chart.

18. A network management method, said method comprising steps of:

measuring a data rate for a flow of information from an incoming source coupled to a network of computers;

categorizing said data rate from said flow of information based upon at least one of a plurality of traffic classes;

outputting a visual representation of said data rate in graphical form on a display; and

outputting a text representation of said one of said plurality of traffic classes on said display.

19. The method of claim 18 wherein said data rate is a baud rate.

20. The method of claim 18 wherein said visual representation is a real time histogram of said data rate.

21. The method of claim 18 wherein said text representation comprises text for said one of said plurality of traffic classes.

22. A computer system comprising a bandwidth profiling tool, said bandwidth profiling tool being stored in computer memory, said computer memory comprising:

a first code that is directed to measuring a data rate for a flow of information from an incoming source coupled to a network of computers;

a second code that is directed to categorizing said data rate from said flow of information based upon at least one of a plurality of traffic classes;

a third code that is directed to outputting a visual representation of said data rate in graphical form on a display; and

a fourth code that is directed to outputting a text representation of said one of said plurality of traffic classes on said display.